localhost loopback network is part of the internet

I have a program that runs as a service and a client that connects to that service to control it. The client accesses the service using the local loopback adapter at 127.0.0.0 and ZoneAlarm says the program wants to connect to the internet. The loopback adapter is part of the local network.
I would rather not allow "the internet" to access either the service or have the client access "the internet" because 127.0.0.1 is treated as an internet address.
ZoneAlarm should always treat the following address ranges as local by default; they're never internet addresses:

192.168.0.0
10.0.0.0
127.0.0.0
Whichever network mask the network adapter is set to

I'm not yet that familiar with IPv6 and I haven't tested that one, but ::1 should also be part of the local network, if it isn't.

Also, the local IP and the loopback addresses should always be part of the trusted zone. I've never heard of 127.0.0.1 or ::1 leading to another machine, unless a forwarding service is running at the particular port (which would need to be granted trusted and/or internet access first).
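The classification the poster is asking for can be stated precisely in code. The following is an added example, not ZoneAlarm's code or the poster's: it sorts a destination address into loopback, the adapter's own subnet, link-local, private (RFC 1918 / RFC 4193) or internet, and returns the narrowest network an "allow" rule for that destination should cover. It goes slightly beyond the list in the post by including 172.16.0.0/12 and the link-local ranges, and it unwraps IPv4-mapped IPv6 addresses (::ffff:127.0.0.1), which dual-stack sockets report for loopback peers and which would otherwise be judged as a non-loopback IPv6 address. The adapter subnet 192.168.101.0/24 in the usage block is a constructed sample.

```python
"""Zone classification for firewall prompts (added example, not ZoneAlarm code).

Loopback and RFC 1918 destinations are never "the internet", so a rule created
for them should be scoped to the block they belong to rather than to any
address.  Function and constant names here are the example's own.
"""
import ipaddress
from typing import Iterable, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Blocks that are never routed on the public internet.  The post lists
# 127/8, 10/8 and 192.168/16; the rest are the remaining reserved blocks
# of the same kind (RFC 1918, RFC 4193, RFC 3927, RFC 4291 link-local).
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10"))
PRIVATE = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
)


def normalize(addr: str) -> Address:
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Without this, ::ffff:127.0.0.1 is an IPv6 address outside ::1/128 and
    would be classified as internet, which is exactly the mistake the thread
    is about, only one layer down.
    """
    parsed = ipaddress.ip_address(addr.strip())
    if isinstance(parsed, ipaddress.IPv6Address) and parsed.ipv4_mapped is not None:
        return parsed.ipv4_mapped
    return parsed


def _containing(ip: Address, nets: Iterable[Network]) -> Optional[Network]:
    """First network in nets (same IP version) that contains ip, else None."""
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def _adapter_nets(adapter_networks: Iterable[str]) -> list:
    # strict=False accepts "192.168.101.7/24" style input from an adapter.
    return [ipaddress.ip_network(n, strict=False) for n in adapter_networks]


def zone_for(addr: str, adapter_networks: Iterable[str] = ()) -> str:
    """Zone a prompt should name: loopback, adapter-local, link-local,
    private or internet.  Most specific match wins."""
    ip = normalize(addr)
    if _containing(ip, LOOPBACK):
        return "loopback"
    if _containing(ip, _adapter_nets(adapter_networks)):
        return "adapter-local"
    if _containing(ip, LINK_LOCAL):
        return "link-local"
    if _containing(ip, PRIVATE):
        return "private"
    return "internet"


def rule_scope(addr: str, adapter_networks: Iterable[str] = ()) -> Network:
    """Narrowest network an allow rule for addr should cover.

    Only a genuinely public destination warrants an any-address rule; every
    other destination gets a rule confined to its own block.
    """
    ip = normalize(addr)
    for group in (LOOPBACK, _adapter_nets(adapter_networks), LINK_LOCAL, PRIVATE):
        net = _containing(ip, group)
        if net is not None:
            return net
    return ipaddress.ip_network("0.0.0.0/0" if ip.version == 4 else "::/0")


if __name__ == "__main__":
    # Constructed sample: one adapter subnet and a few destinations a client
    # might connect to (203.0.113.0/24 is the RFC 5737 documentation range).
    lan = ["192.168.101.0/24"]
    for dst in ("127.0.0.1", "::1", "::ffff:127.0.0.1", "192.168.101.7",
                "192.168.5.7", "10.0.0.5", "169.254.1.1", "203.0.113.10"):
        print(f"{dst:>18}  zone={zone_for(dst, lan):<14}  rule scope={rule_scope(dst, lan)}")
```

Note that a destination inside the adapter's own subnet is reported as adapter-local rather than private even when it is also in 192.168.0.0/16: the rule scope is then the /24 the adapter is on, not the whole /16, which is what "whichever network mask the adapter is set to" asks for.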

Re: localhost loopback network is part of the internet

Hi!

I am not sure I understand your problem. Those addresses mentioned (192.xx, 10.xx, 127.xx) are never reachable from the outside and they are usually assigned to your LAN depending on your configuration.

Contrary to many solutions out there, ZA does differentiate between localhost/trusted/Internet, giving you the option to set it as you wish. You will define what is trusted and what is internet. Normally at install ZA automatically adds your PC IP (127.0.0.1) to the trusted zone. The definition of "local" as you define it is not a necessary or considered variable linked to the functioning of ZA. ZA is designed with trusted and internet zones.

If you receive a warning about a program wanting to access the internet zone, you have, most likely, not assigned to that address or block of addresses the status TRUSTED; otherwise it should have said that the program is trying to access your trusted zone (i.e. trusting a single IP does not entail trusting all the IPs in that block).

Not sure this is answering your question. If not, feel free to contact the ZA technical support. They may be able to better explain it to you.

Re: localhost loopback network is part of the internet

Originally Posted by fax

I am not sure I understand your problem. Those addresses mentioned (192.xx, 10.xx, 127.xx) are never reachable from the outside and they are usually assigned to your LAN depending on your configuration.

They would be reachable on the local network, say in a coffee shop, if I were to click "allow" when asked, just like most users would, or the application wouldn't work if I clicked "deny".

Originally Posted by fax

Normally at install ZA automatically add your PC IP (127.0.0.1) to the trusted zone. The definition of "local" as you define it is not a necessary or considered variable linked to the functioning of ZA. ZA is designed with trusted and internet zones.

I just installed it on a newly set up machine, and it doesn't do that. It asks if the connected network is part of the trusted zone or not. The loopback adapter is not included in the trusted zone by default. It should be, however. Including IPv6 addresses, hosts or ranges isn't possible.

Originally Posted by fax

If you receive a warning about a program wanting to access the internet zone you have, most likely, not assigned to that address or block of addresses the status as TRUSTED, otherwise it should have said that the program is trying to access to your trusted zone (i.e. trusting a single IP does not entail the trusting of all the IPs in that block).

I'm completely aware of the manual configuration part; it's just that treating IP addresses that can never be internet addresses as such shouldn't even be possible, since it could mislead users who aren't aware that by allowing internet access via the buttons in the popup dialog they are allowing everything, and not just access to that local IP, which the firewall thinks is on the internet. There are trusted address ranges, untrusted internet addresses and untrusted local addresses. Trusting the internet also trusts the local network.

This isn't particularly a support issue, it's something that should be fixed with the next version of the software, because this flaw can easily lead inexperienced users to misconfigure the firewall.

Re: localhost loopback network is part of the internet

They would be reachable on the local network, say in a coffee shop, if I were to click "allow" when asked, just like most users would, or the application wouldn't work if I clicked "deny".

Yes, correct. I think it may help if you think about the ZA Internet zone as "UNtrusted". This may clear up your confusion about Internet, local, etc...

Originally Posted by dorianmuthig

I just installed it on a newly set up machine, and it doesn't do that. It asks, if the connected network is part of the trusted zone or not. The loopback adapter is not included into the trusted zone by default. It however should. Including IPv6 addresses, hosts or ranges isn't possible.

Yes, normal. At every new clean install you will get a pop-up asking you where to place the network you are connecting to. If you trust the network then you choose TRUSTED; if not, Internet. In the case of the coffee shop you will allocate it to the internet (=UNtrusted). You may want to look for the on-line instructions where this is explained clearly. Also the pop-up gives some explanations.

Yes, 127.0.0.1 is normally added to the trusted zone. Don't know why it is not in yours.

Originally Posted by dorianmuthig

it's just that treating IP adresses that can never be internet addresses as such shouldn't even be possible

This is because you mix ZA "Internet zone" with Internet. Think instead about trusted and UNtrusted locations. These addresses can never be internet but they can be trusted or untrusted. Also you are mixing up network access trusting/untrusting with program having access to certain IPs. Allowing the X program to access the internet zone (untrusted) does not mean the internet can access your system.

Originally Posted by dorianmuthig

This isn't particularly a support issue, it's something that should be fixed with the next version of the software, because this flaw can easily lead inexperienced users to misconfigure the firewall.

I am afraid I fail to see anything to fix, and you don't need to convince me about it. But if you think so you should direct yourself to ZA technical support and report it. We are all users here.

Re: localhost loopback network is part of the internet

You don't see anything to fix? Seriously?

It's simple: A newly installed ZA only includes the local network of the network adapters in the system in the trusted zone, after you select this in the window that says a new network has been detected. This could be 192.168.101.0 with subnet 255.255.255.0.

A client program tries to access the locally installed service at 127.0.0.1 on a random but fixed port.

A notification popup shows asking if you want to allow the application to access the internet.

If you select no (deny), your application won't work.
If you select yes (allow), your application is allowed to access the internet (all addresses), and if that application was a server application, you are now vulnerable to attackers on an open wifi network, should you choose to use one later, because the application was allowed internet access (which overrides the untrusted network zone), even though this was not required. An inexperienced user may not be aware of this.

Again, ZA should not allow inexperienced users to grant internet access for accessing non-internet IP ranges, but instead add the ranges to the trusted zone on demand.
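The exposure the post describes (a server application that ends up reachable from an open wifi network because its firewall rule was made broader than the loopback connection needed) is something the service itself can rule out independently of the firewall: a service that only ever talks to a local client should bind to 127.0.0.1, not to all interfaces. The following is an added example, not the poster's program or ZoneAlarm code. It starts a small control service bound to loopback, lets a client send one command over 127.0.0.1, and reports from the socket's own bound address whether the listener is loopback-only, single-interface or all-interfaces. The "ping"/"pong" command protocol and all function names are constructed for the example.

```python
"""Loopback-only control service (added example, not the poster's code).

A listener bound to 127.0.0.1 cannot be reached from the LAN or an open wifi
network no matter how wide the firewall rule for the program is; a listener
bound to 0.0.0.0 is reachable on every network the host joins and depends
entirely on the firewall.  The command protocol here is a one-line toy.
"""
import ipaddress
import socket
import threading


def start_control_service(bind_host: str = "127.0.0.1") -> socket.socket:
    """Listen on an OS-chosen port on bind_host and answer one command per
    connection in a daemon thread.  Returns the listening socket so the caller
    can read the port (getsockname) and close it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))   # port 0: the kernel picks a free port
    srv.listen()

    def serve() -> None:
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:        # listening socket was closed
                return
            with conn:
                cmd = conn.recv(64).decode("ascii", "replace").strip()
                conn.sendall(b"pong" if cmd == "ping" else b"unknown command")

    threading.Thread(target=serve, daemon=True).start()
    return srv


def listener_exposure(sock: socket.socket) -> str:
    """Classify a listening socket by its bound address:
    'loopback-only', 'single-interface' or 'all-interfaces'."""
    ip = ipaddress.ip_address(sock.getsockname()[0])
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-interface"


def send_command(port: int, cmd: str, host: str = "127.0.0.1") -> str:
    """Client side: connect over loopback, send one command, return the reply."""
    with socket.create_connection((host, port), timeout=2) as client:
        client.sendall(cmd.encode("ascii"))
        return client.recv(64).decode("ascii")


if __name__ == "__main__":
    svc = start_control_service()
    port = svc.getsockname()[1]
    print("service exposure:", listener_exposure(svc))       # loopback-only
    print("reply over loopback:", send_command(port, "ping"))  # pong
    svc.close()
```

The exposure check is the kind of thing worth running in a service's own startup code or in a health check: if the service was meant for a local client and the listener reports anything other than loopback-only, the bind address is wrong regardless of what the firewall was told.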

Re: localhost loopback network is part of the internet

Last try.... Again you don't have to convince me. You need to report to ZA staff if you think there is a problem.

ZA does not by default allocate the network to the trusted zone (your 192.168.../255...). Notification should appear for 127.0.0.1 as trusted not internet (bad configuration). Allowing 127.0.0.1 does not allow all addresses, moreover the application must have server rights to the internet to do that.

Re: localhost loopback network is part of the internet

ZA does not by default allocate the network to the trusted zone (your 192.168.../255...).

Yes, I know, it asks and that's ok that way.

Originally Posted by fax

Notification should appear for 127.0.0.1 as trusted not internet (bad configuration).

As said, it doesn't. It only asks for the local network you're connected to. And even though I remember it doing that for different wifi networks as well (like 7 years ago), it doesn't do that anymore, either.

Originally Posted by fax

Allowing 127.0.0.1 does not allow all addresses, moreover the application must have server rights to the internet to do that.

Re: localhost loopback network is part of the internet

Hi!

I am afraid we are talking but not communicating... what you are reporting is unclear and unsubstantiated. But there's no use insisting here; better to follow up directly with ZA technical support, they may be able to help you.